Meltdown BUG: What about KVM/Xen/Docker/OpenVZ/LXC/PV-Xen/HyperV?

Different Variants: Meltdown and Spectre

This article discusses only Meltdown and its effect on hypervisor environments, since it is the easiest of the two to implement. Note that Spectre is capable of leaking hypervisor memory from all hypervisors running on affected processors (Intel and possibly AMD, ARM), but it is both more difficult to exploit and more difficult to mitigate. Please read on to understand how Meltdown affects your virtualization stack:

How Meltdown Affects Virtualized Environments

Every hosting provider held their breath over the past week wondering if the as-of-yet undisclosed Intel hardware bug, now released as “Meltdown”, would affect their virtualization stack. They all want to know: is this a hypervisor escalation!? In this post we use the word “affected” to mean guest-to-hypervisor memory read access.

The Meltdown bug enables reading memory from any address space mapped by the same page table—memory behind a different set of page tables is not reachable. That is, Guest-to-Host page tables are unaffected; only Guest-to-Guest (within one guest) or Host-to-Host reads are possible, and of course Host-to-Guest, since the host can already access the guest pages.

For a hosting provider this means different customer VMs on the same fully-virtualized hypervisor cannot access each others’ data—but—different users on the same guest instance can access each others’ data. This latter part holds true for non-virtualized hardware as well: users under the same OS kernel can access each others’ data. Thus, containers are affected!

Which Technologies Are Affected?

Fully virtualized technologies are not affected in the sense that guests cannot access host (hypervisor) memory. However, an unprivileged guest process can still access privileged (and other unprivileged) guest process memory pages. Container-based technologies are affected by Meltdown across container boundaries.

If you cannot do #1, your best option is to install Linux 4.15-rc6 or one of the supported vanilla kernel patches in the link above. On all systems. Yes, 4.15-rc6 is a release candidate, but this kernel is receiving widespread testing because of this bug.

If this is not an option and you mostly trust the code running inside of the container, then you could run your container instances under KVM to isolate them from each other, protecting your guests and your privileged containers.

If running Xen-PV, switch everything to Xen-HVM and hope for the best. Many operating systems will boot in either environment unless your guest kernel was built specifically for Xen PV—but there could be driver issues between the two.

If you do not trust your users on a single host, then your best option is #1 above.

Remember, the only real fix is to install an updated kernel on all servers, physical or virtual. Solutions 3 and 4 only mitigate the problem, since the guest is still vulnerable to interprocess memory reads.
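Because the only real fix is a patched kernel on every machine, physical or virtual, the check a hosting provider actually needs is whether a given host, guest or container host reports the Meltdown mitigation (kernel page-table isolation, PTI) as active. The script below is an added example, not code from the original post; it assumes the `/sys/devices/system/cpu/vulnerabilities/meltdown` file exposed by kernels carrying the 2018 fixes and, as a fallback, the `pti` entry in the `flags` line of `/proc/cpuinfo`.

```shell
#!/bin/sh
# Added example: report whether this Linux system has the Meltdown
# mitigation (PTI) enabled. Run it on every host and guest; a patched
# hypervisor does not protect the processes inside an unpatched guest.

# Classify the text of /sys/devices/system/cpu/vulnerabilities/meltdown.
# Prints one of: mitigated, vulnerable, not_affected, unknown.
classify_meltdown_sysfs() {
    case "$1" in
        "Mitigation: PTI"*) echo mitigated ;;
        "Not affected"*)    echo not_affected ;;
        "Vulnerable"*)      echo vulnerable ;;
        *)                  echo unknown ;;
    esac
}

# Fallback for kernels without the sysfs file: a PTI-enabled kernel adds
# "pti" to the flags line of /proc/cpuinfo. $1 is the full cpuinfo text.
classify_meltdown_cpuinfo() {
    if printf '%s\n' "$1" | grep '^flags' | grep -qw pti; then
        echo mitigated
    else
        echo unknown
    fi
}

# Combine both sources for the running system. File reads happen here so
# the classifiers above can be exercised with constructed input.
meltdown_status() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$sysfs" ]; then
        classify_meltdown_sysfs "$(cat "$sysfs")"
    elif [ -r /proc/cpuinfo ]; then
        classify_meltdown_cpuinfo "$(cat /proc/cpuinfo)"
    else
        echo unknown
    fi
}

# Usage: sh meltdown-check.sh --report   (one line per machine, easy to
# collect over ssh across a fleet of hosts and guests)
if [ "${1:-}" = "--report" ]; then
    printf '%s kernel %s meltdown: %s\n' \
        "$(uname -n)" "$(uname -r)" "$(meltdown_status)"
fi
```

Anything other than `mitigated` or `not_affected` on a guest means that guest's own processes can still read each other's memory, whatever the hypervisor reports.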

Help!

We can help! Just give us a call or send an email so we can make a plan and get you running secure, once again!

2 thoughts on “Meltdown BUG: What about KVM/Xen/Docker/OpenVZ/LXC/PV-Xen/HyperV?”

For Meltdown, the guest OS doesn’t need to be patched to protect the hypervisor—however—the guest OS needs to be patched to protect the guest OS. For Spectre, you will need a microcode update for your CPU as well as software patches.
